What advice do you have for others considering Qualys Patch Management?

In Qualys, it can not only push patches but also apply registry changes and PowerShell scripts on the system, supporting greater automation. Qualys patch management is a better choice.

I rate Qualys eight out of 10. It's a great tool, and if I consulted for a client, I would recommend it.

My thoughts on the risk-based approach for creating automations to prevent or address risks are as follows: we live at a time when risk exists, and when looking at automated patch management and administration, I am looking at issues of logging and real-time information from the vendor as well as from my organization. We do not take an approach where one instance or one product serves or covers all. We augment patch management together with the vulnerability management tool, and these work together. Whenever a new change is identified or a threat is identified, I am sure that my systems are then safe. Though sometimes people fear automation, we make sure that everything is up to date and verify what comes through. Regarding the TruRisk automation, it helps me remediate vulnerabilities without needing to involve my security team, but systems can give false positives at times. Though I would not say I am 100% safe, the chances of risk hitting my services or platforms are low. There is still a human element to account for instances where there might be a false positive alarm that needs oversight. Personally, I believe that with automation and the quality of Qualys, which has been tested, it is the best. Qualys Patch Management gives me a single source of truth, providing insight into my assets and the vulnerabilities that need to be prioritized and remediated. The patch management allows me to know what is coming and helps me identify and be aware of changes happening on the platforms. It answers to the call that vulnerability management gives, and since vulnerability management and cloud platforms are always online, it is easier to ensure that at whatever time there is a change, I am at least shoulder high or above what the normal person or computer user would use. I do use the risk reduction recommendation report from Qualys, and we look at it as an advisory for my IT team. We take those reports to what we call the university ICT committee. When we look at those items, we bring them as reports and recommendations. Technology changes every day, and those reports help us know where to invest and what to add within the DMZ and servers. Should there be any changes, I am appraised. It is easier for the IT department, when going to the ICT committee, to table something that is valid and legitimate. In terms of how much Qualys Patch Management has reduced my organization's risk, I can put it at 80% if I exclude the human element, which is the highest risk I have always seen around because of insider threats. I have seen an improvement in my patch rates by 95%. This is because we utilize platforms that come from a pool of vendors that deploy patches instantly whenever a vulnerability is identified, although some of our legacy systems which are internally built may not get that instant patch. I think the pricing of Qualys Patch Management is affordable for me because if it were beyond my reach, my accountant would have suggested going with open source solutions. The solution was purchased through a partner. We belong to a consortium of entities under one company, and most of the organization utilizes it, with procurement handled centrally while I request any needed modules. The solution requires renewals, but updates happen in sync. I just get an alert about new updates, and then it is automated to post onto the instance from the cloud. I would recommend Qualys Patch Management 100% because it works for me, it is a necessity for IT SOC teams, and it is easy to deploy and understand. I rate this review at a nine out of ten.

The solution helps reduce the amount of ticket processing time because the proactive nature of the solution allows for proactive risk patching. Users do not need to report issues, so by the time they encounter a notification or problem, it has already been handled by Qualys Patch Management, which helps reduce ticket volume by about 30%. For us, this is the most important aspect because we are usually an outside service provider, and when we have too many unresolved tickets, it becomes an issue for us. Our priority is to maintain the lowest number of tickets, and this is how Qualys Patch Management contributes to our operations. For most clients, deployment depends on their size. Usually, smaller teams deploy the solution locally, but as the number of devices increases, we push deployment toward the cloud. Deployment is typically in the cloud, especially for environments with 300 to 1,000 devices. I would advise others that using Qualys Patch Management integrated with other Qualys solutions yields the best results. While Qualys Patch Management is a good tool by itself, integration with other solutions significantly enhances its value. Organizations should also anticipate substantial effort in setup and deployment, especially with agent deployment. My overall rating for this solution is 8.5 out of 10.

In my relationship with Qualys Patch Management, I am working as a third-party auditor in EY, KPMG, and Deloitte. I work as a third-party auditor consultant; we audit compliances as well as security audits performed on various products as per client-specific requirements. The process of generating tickets has become much more efficient, especially for requests from roles like secretaries, IAS officers, or personnel in the government sector, which often demands quick reporting. This tool allows for the quick generation of reports after applying necessary filters. For instance, retrieving details on outdated assets or projects can happen swiftly as long as the patch management software and CMDB are current. However, I emphasize the importance of using genuine licensed products rather than attempting to use pirated versions. Qualys Patch Management has significantly reduced overall risk in my organization, which I would quantify highly on a scale of one to ten. Patch Management plays a role in risk reduction by directly addressing vulnerabilities; for instance, it showcases CVSS scores distinguishing which vulnerabilities are patched. Patch management applies updates promptly once vulnerabilities are identified, thus eliminating associated risks. Using the example of an iPhone, if the current version denotes a problem, it highlights the necessity for updates which are crucial for mitigating risks. Overall, Qualys Patch Management enables customers to receive comprehensive recommendations, streamlining what typically requires third-party auditing. I utilize the risk reduction recommendation report in patch management; it indicates measurable security exposures. For example, if a high-risk exploitative vulnerability is detected, it prioritizes mitigation based on severity scores, facilitating quicker patch management actions. Post-verification allows for real-time updates on vulnerability statuses, reducing the need for subsequent audits or patch verifications. It shows near real-time metrics focusing on critical vulnerabilities before or after management takes place, alongside findable data on MTTR and patch compliance. Qualys VMDR and Patch Management support continuous verification, enabling measurable reduction in critical exposure, aiding prioritization efforts for true risk vulnerabilities. Within our data centers, we integrate the solution with CMDB or ITSM tools for ticket management, utilizing asset tagging within CMDB. Asset tagging includes various factors like host names, IP addresses, operating systems, and environmental data concerning production or non-production scenarios. For any necessary patch management changes requiring workflow alignment, we can trace everything effectively under the CMDB. From an audit perspective, the time savings depend on the tools used; for instance, using Qualys Patch Management compared to alternative tools saves considerable time on report creation and other lengthy processes. Patch management can take around twenty to seventy-two hours based on a CVSS score over nine for zero-day vulnerabilities, about seven days for high risks with scores of seven to eight point nine, and for low risks, patch management ranges from thirty to sixty days due to lower impact and lack of urgency from clients regarding low vulnerabilities. I do use Patch Management with VMDR, so Qualys Patch Management is integrated with VMDR. If we separate tool functionalities, one tool dedicated to patch management and another for vulnerability management can complicate things. But if we connect through APIs, maintaining a single platform saves a significant amount of time. A tool that handles assessment, reports, and remediation using a unified platform is beneficial for system integrators, clients, and engineers alike. Additionally, as a system integrator, I find that continuous vulnerability detection is effective through cloud agents and network scans, which also aids in ongoing monitoring. Qualys Patch Management is utilized by approximately three hundred to five hundred individuals within government organizations. In the private sector, particularly among larger firms like the Big Four, this number can extend to around five to six thousand users. The solution generally requires only licensing costs for maintenance. If you possess a valid license, you gain access to updates. Customer support is an add-on, so basic assistance comprises part of the license agreement. I give the technical support a rating of ten out of ten. I have already endorsed Qualys Patch Management to several public sector undertakings and private banks, as well as organizations associated with government certifications where the product is recognized on the whitelisted tools list for state data centers and SWANs in India. I have given this solution an overall rating of nine out of ten.

The risk-based approach is essential. When you enroll devices, Qualys automatically identifies vulnerabilities, focusing on reducing risks to your company, not just patching browsers or applications but also addressing outdated software and misconfigurations. Collecting this data allows for automated and prioritized patching based on risk. I have used Qualys Patch Management for just one year, but I have handled many clients during that specific time period. We always do proof of concept and demonstrations to our clients, so I believe I can deliver more details regarding Qualys Patch Management. I have used the Risk Reduction Recommendation Report. There are several types of reports in Qualys, including technical reports and managerial or CEO reports. Qualys offers comprehensive reports detailing vulnerabilities, recommendations, next action plans, and risk reductions, along with insights into potential MITRE attacks. This information allows clients to fortify their systems and reduce attack risks. I haven't integrated Qualys Patch Management with any CMDB or ITSM tools for ticket management yet, but I believe Qualys Patch Management cannot be integrated with CMDB. However, Qualys CSAM can easily integrate with CMDB without needing an API. It focuses on cybersecurity risks, adding devices to Qualys Patch Management directly from CMDB as long as they have the Qualys agent installed. It's a best practice to implement Qualys Patch Management alongside vulnerability management as part of the remediation process in Qualys. If clients lack a Qualys Patch Management subscription, the reports can still provide details on vulnerabilities and recommendations. However, we encourage them to add Qualys Patch Management subscription to ease the patching process for their devices. Maintenance can be challenging, especially if there are bugs or errors in Qualys Patch Management. The difficulty mainly arises when deploying patches, which can significantly affect IT operations. However, Qualys offers support to assist with these issues. I have resigned from my previous company, but I have the knowledge, skills, and fundamentals in using Qualys. I would rate this product overall as an 8.

I use Qualys Patch Management with VMDR. This integration with VMDR is important for me. Qualys Patch Management gives me a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated. I use the Risk Reduction Recommendation report in Qualys Patch Management. The Risk Reduction Recommendation report is helpful. Qualys Patch Management helps me streamline remediation and gives me a good starting point. If the risk-based approach to automation is set up correctly, it performs excellently. For newer deployments of Qualys Patch Management, typically one person handles the implementation. I maintain Qualys Patch Management consistently, so it requires minimal effort on my end. My advice for new users of Qualys Patch Management is to spend time at the training center. A streamlined initial video guide would be beneficial. I rate Qualys Patch Management an eight out of ten overall.

I think that's where we have to go as an industry because you can't address everything all the time. Adding the risk on top, if it's an external asset compared to something internal inside your vault, the risk is much greater for exfiltration of data. The risk-based approach absolutely is the right way to go about it.I rate Qualys Patch Management a nine out of ten.

I use Qualys Patch Management with VMDR. On a scale from one to 10, I would rate Qualys Patch Management a nine overall.

I would recommend this product to other users because it's very user-friendly. I can't speak to the pricing aspect, but from a user standpoint, it's a very good product. I would rate it a nine out of ten.

I do not use the solution's integrations with CMDB or ITSM tools for ticket management. Adding Qualys Patch Management affected my infrastructure positively, as it replaced BigFix, allowing for better integration of patch management with our existing vulnerability management, resulting in improved report access and vulnerability fixing. The integration with risk management like VMDR and other security solutions provides significant benefits for eliminating vulnerabilities and avoiding exploitation. The single source of truth provided by Qualys Patch Management has helped reduce costs by integrating multiple tools into a single platform, making it easier to analyze and user-friendly. On a scale of one to ten, I rate Qualys Patch Management an eight out of ten.

Regarding whether Qualys Patch Management gives a single source of truth for assets and vulnerabilities that need to be assessed, prioritized, and remediated, I cannot say we solely rely on it. We are also using VMDR, as we do not depend only on the patch management module for patch priorities. Our patch priorities are established using the VMDR for vulnerability prioritization, and the patch criticality comes after that. I saw the benefits of Qualys Patch Management after we started using it. Before purchasing Qualys Patch Management, we remedied around 100 or 150 vulnerabilities from more than 90,000 vulnerabilities. We still remedy 150 or 160 vulnerabilities, but the management was aware of that because we were doing it manually. When we started the Patch Management module during the testing phase, we remedied 400 vulnerabilities in a month. That was very impressive from the management perspective. They agreed to move out of the testing phase, so we could bring up the process for some common vulnerabilities such as Google Chrome, Microsoft Teams, or any other related software we are using. The true risk automation helps us remediate vulnerabilities without needing to involve the security team. Although we did not actually rely on the true list dashboard because we are using the QIDs released. By using the QID, we are able to update the formulas automatically. We do it manually in some cases due to applications that have dependencies on servers we need to exclude. I have not used the risk reduction recommendation report. We are using the normal vulnerability scan report generated from VMDR. From the Patch Management perspective, we only generate the report once the patch is completed, where we assess which patches have failed and why. We do not use integrations with CMDB or ITSM tools for ticket management yet, as the management is not approving that particular request. However, integrating that would make automation and report generation much easier, allowing us to segregate the tasks among different teams, applications, or servers. The integration in VMDR is very important for us, as we are getting many dashboards by different criteria, such as SLA. We differentiate on SLA based on critical, high, or medium criteria, so we are using trending formulas also. It is very helpful for us to prioritize the vulnerabilities by considering the exploitability rate and if it is publicly available. Overall, I would rate Qualys Patch Management a ten out of ten for everything.

I would rate Qualys Patch Management an eight out of ten.

I would recommend it because of its ease of use and integration as both a Vulnerability Management and Patch Management tool. I rate it nine out of ten.

I would give it a ten out of ten. It is an excellent module to have within the environment, as most environments have Windows Patch cycles, but not for third-party applications. Patch Management not only addresses third-party applications but can also patch vulnerabilities. It allows seamless deployment from the console if a patch for a vulnerability is available. I would rate the overall solution a 10 out of 10.

It is a very good tool to reduce the vulnerabilities in our organization. Our current usage is about 70%, but we have started utilizing more features. We are planning to increase its license in our environment when there is an increase in the assets. I would recommend it to others. It is a very good solution for finding vulnerabilities and patching them. I would rate Qualys Patch Management an eight out of ten.

I would recommend Qualys Patch Management to others because it is user-friendly and has a wide database of vulnerabilities and patches. I am fond of Qualys, having started my journey with them. Overall, I would rate the solution a ten out of ten.

I would rate Qualys Patch Management nine out of ten because there is room for improvement in tool features to enhance competitive market standings.

It automates the patching process, making it more efficient and reducing IT teams' workload by focusing on critical patches. The tool provides real-time visibility into patch status, ensuring you always know where you stand. It integrates smoothly with existing IT workflows.

Overall, I would rate Qualys Patch Management a nine out of ten.

I would rate Qualys Patch Management a nine out of ten. Qualys Patch Management is deployed in multiple departments and locations. We have five members that administor the solution. No maintenance is required from our end. I recommend Qualys Patch Management because it is effective in past deployment and vulnerability management. It identifies necessary patches instead of scanning the entire machine.

I would recommend Qualys Patch Management because of its efficiency, scalability, and excellent support. I would rate Qualys Patch Management an eight out of ten.

It took us some time to realize its benefits. I went to a Qualys conference, and that was when I started to realize its benefits. Till then, I thought Rapid7 was a good one or Manage Engine was a good one. I thought those products were good, and they also patch third parties whereas Qualys did not patch third parties. After going to Qualys, they explained there is a way to do that. It was a longer way, which I did not do. We decided to go with an MSP that specializes in installation and fine-tuning the Qualys product. When they did everything, I did not have to touch any configuration with Qualys Patch Management. Everything was going through. With the way we did things previously, it was going through, but it was a longer approach. It was taking a little longer and was more manual. We did not properly utilize tagging. We did not properly utilize the patching process scheduling. The MSP guys did tagging. They did automation of the patch management according to the risks. That was very important. Previously, we had six or seven jobs and sometimes, we manually patched individual machines. After the MSP guys did the fine-tuning, we had only two scheduled jobs, and that was it. The first job does 10 to 15 testing computers, and then the next one does the old machines. I would rate Qualys Patch Management a nine out of ten.

I would rate Qualys Patch Management a nine out of ten.

When we did our PoC, we already had the VMDR piece. We enabled the patch piece and brought the right hand and the left hand together. This integration automatically should include all the relevant patches and configuration changes required to remediate vulnerabilities detected by VMDR. It will be crucial. That is still to be determined, but when two of our critical service delivery organizations are using the same sheet of music or the same tool, it makes us more agile and more responsive to the threats we are trying to protect our business against. I would rate Qualys Patch Management a nine out of ten.

I would rate Qualys Patch Management eight out of ten. We have three environments: production, development, and QA. To perform patching, we must coordinate with the application team and schedule downtime. Due to the critical nature of the business application running on the production servers, we cannot automate patching; instead, we use satellite servers. Our organization has between 20 and 30 people who use Qualys Patch Management. In the two and a half years I've used Qualys Patch Management, I haven't observed any need for maintenance on the tool. Qualys Patch Management is a valuable tool for large organizations seeking to maintain a secure infrastructure.

At this time, I would not recommend Qualys Patch Management because there are multiple features that need to be developed from their end. You cannot deploy everything through it. I might recommend it in the future. It needs some time to be fully developed. I would rate Qualys Patch Management a six out of ten because of the support quality and lack of features.

I would rate Qualys Patch Management ten out of ten. While the initial setup involves deploying cloud agents, Qualys Patch Management is low maintenance. Updates for both agents, signatures, and related components are automatic. Qualys handles maintenance in the cloud, and new systems are easily enrolled with agents through software distribution or policy enforcement. New Qualys Patch Management users should consult the documentation and training resources before deploying. While a trusted partner can assist with implementation, understanding the process is crucial. Qualys offers free training to cover essential steps like agent deployment, configuration, and security considerations to ensure successful patching. Don't skip these steps, as seemingly minor setup issues can hinder functionality. This applies not just to Qualys, but to any endpoint security solution.